30 years of failure: the username/password combination

We've known for decades that humans have a limited ability to associate …

A lot of the effort involved in establishing a secure computing environment focuses on technological solutions, from providing warnings about phishing attacks to blocking the propagation of botnets. But, as previous research has shown, security involves a significant human component. Nowhere is that more true than the item at the heart of basic security: the humble password. Here, our best practices—something that's not in the dictionary or written down, differs for every account, etc.—ignore basic research, which shows that humans have a limited capacity to associate random text with, well, just about anything. A new survey of institutional IT users provides a glimpse into just how bad the password situation is, with less than five percent of users managing to use best practices.

What is perhaps most striking about the new study, which is being published in the Proceedings of the Human Factors and Ergonomics Society, is its background section, which details just how long we've been aware of the password problem. It cites a study of Unix passwords from 1979, which showed that about 30 percent of the passwords were four characters or less, and about 15 percent were words that appear in the dictionary. Fast forward to 2006, when a separate survey of 34,000 MySpace passwords revealed that the most common were "password1", "abc123", "myspace1", and "password".

But it's not simply that we have empirical evidence suggesting that passwords are easy to crack; neuroscience has indicated that the human brain simply doesn't perform well at free-associating text that, on its own, has little inherent meaning. As one of the papers cited puts it, "the multiple-password management crisis [can be viewed as] a search and retrieval problem involving human beings' long-term memory." And, although our long-term memory for images and words that we've assigned meanings to is quite good, we don't do as well with passwords, which (ideally, at least) should look like a near-random string of characters. It's another challenge entirely to remember which password to associate with a specific account.

So, there's an obvious tension between what we know we should do, and what actually can be done when it comes to passwords. The authors of the new study conducted several focus groups with network administrators to identify likely sources of problems for users. They used this information to craft a survey of password habits, which they administered to 836 employees of an organization that handled sensitive private data and provided all employees with computer security training. Obviously, a more diverse survey population would have been nice, but the single employer at least allowed a degree of consistency in terms of the security training.

The authors condensed the results into a measure of how many deviations from ideal password practices a given user committed, such as using a short password, not mixing characters and symbols, writing the password down or reusing it, etc. All told, only 4.4 percent avoided any deviations from the rules, and the majority violated three or more. "In reality," the authors note, "the results are probably worse, because respondents do not like to admit that they deviate from the rules."

Experience made a difference, as expert and advanced computer users tended to outperform the novices. But there were limits; actual network administrators, for example, didn't behave in a manner that was significantly different from an average user. One possibly disturbing development was noted: about seven percent of the respondents had become cynical about computer security, having decided that no amount of adherence to best practices would protect them from hackers. Fortunately, this group seemed to be just as good (or just as bad) about using best practices as the rest of the population.

In a lot of ways, the results shouldn't surprise anyone, given what we know about the operation of human memory: if you give users a task that's nearly impossible, they won't do it. The fact that the organization involved handles sensitive data and trains its users on how to protect it doesn't change that reality. What the study may accomplish is to help drive home the need to stop expecting the impossible. The authors suggest a variety of alternative authentication systems, from biometrics and hardware-based certification to systems that rely on aspects of memory that humans handle more easily, such as image-based systems. Until IT administrators get over old habits, however, the availability of alternatives will have a limited impact.

Password rules hardly matter when most people's browser simply remembers the username and password for all their sites. For all the security that represents, sites may as well have a cookie that automatically logs on the users.

A really interesting detail that isn't mentioned is what happens when you add on some IT-admins preference for requiring password changes regularly.

Imagine having to have long, safe and different random passwords for e.g. 10 systems. Then imagine that you are forced to change those passwords e.g. every 2 months.

Now what will be the reaction to this demand from the users? Lots of amazing safe and random passwords? No - it will be bad passwords and passwords reused on all systems, etc. Because quite frankly anything else is not humanly possible unless you have photographic memory or some autism.

I gave up a while ago and started using 1Password. Granted, there's a weakness there since if you discover the password to 1Password, you get the rest for free, but it's a hell of a lot easier to remember one really long random password than 50 or 100. And since there's only one, I can remember it without having it written down anywhere.

EDIT: One other thing I've found that helps is those little meters that tell you you've just put in a weak password. No one wants to be accused of weakness

Originally posted by fletc3her:Password rules hardly matter when most people's browser simply remembers the username and password for all their sites. For all the security that represents, sites may as well have a cookie that automatically logs on the users.

Assuming you're talking about in the workplace, your net admins suck-ass if they aren't blocking your users' browsers from offering this capability.

It's actually not that hard to remember a ~12 character random ASCII string; after typing it in a few times it just becomes automatic. My siblings and I used to do it all the time for online games as we were paranoid that some loser with nothing better to do would try to brute force our accounts (yeah, I know, online games aren't that important but we were/are kids). We even stopped playing those games for over half a year and still remembered them when we came back. It simply requires more effort than using 'cheesedoodles' as a password for everything. To be fair though, we only used unique complex passwords for games, and only a few. If we bothered to do it for everything we may have had a problem. We're also young, so our memory hasn't started to fail us yet.

"A new survey of institutional IT users provides a glimpse into just how bad the password situation is, with less than five percent of users managing to use best practices."

You might also ask how many security problems are really caused by breaking someone's passwords. You might also ask how many security problems are caused by the idiots who manage software systems. Forcing users to change passwords is one of the stupidest processes around.

I think that most places go way overboard with this. If you really need a 12+ alpha-numeric character password, that has no repeating characters, does not spell any word found in a dictionary, has at least 2 uppercase, 2 lowercase, 2 numbers and 2 special symbols, has to be changed every 12 weeks and can not be any of the last 25 passwords, (or closer than a 50% match to one of them) then you probably should just go to a smart card (http://en.wikipedia.org/wiki/Common_Access_Card) + finger print scanning and be done with it. (have the print scanner check for a pulse while you're at it)

Game account been hacked before: WTF?n00b! (best password I've ever come up with.. too bad I can't use it anymore, now that I've just pasted it onto teh interwebs)

The thing is you have to invest a bit of time at the beginning to come up with passwords that are memorable, creative, related to what you're doing, and strong. Once you do that, typing them becomes second nature after a few uses. Even your least used passwords (like my firewall example above) just take a few tries when you're used to the fact that you make your passwords that way. Even less if you always follow a personal pattern... like "the first word starts lowercase but the second one starts uppercase, and it ends with a special char..."

Have to cycle them often? If they're strong enough you can stick a number in there somewhere and increment it. Not the most secure thing but as long as it's not obvious to anyone who obtains the pass that "this is where I put my incrementing number" then it shouldn't be too bad - better surely than password1 or abc123.

As a sysadmin I've got literally a dozen of these at work. We used to use a random sequence generator which then required us to carry the passwords on little cards in our wallets because we'd forget them all the time - not the most secure idea! Now I just think of -what- I'm working on, and the pass comes to me.

Here's the thing. I used to work at a company with sane policies: yearly changes. Then they became subject to government regulations, which made us change our policy to two months, at least 1 capital and 1 number.

My password went from l33tspeak two-word non sequiturs that referenced a term from another language (actual example: 'L4ps@ng.s0upchaNGe') to Password1, Password2 through Password0.

(employee survey proved the popularity of "SpousenameN")

If you're going to have a password policy, make it monthly l0phtcracking.

It's actually not that hard to remember a ~12 character random ASCII string; after typing it in a few times it just becomes automatic.

I have 4 different passwords for 4 different systems at work. All of them need to be fairly complex passwords, and all of them change on a regular basis (every 3 months). Add on to that the dozens of usernames/passwords that I use in my personal life, and it quickly becomes impossible to simply remember them.

Any given string of text may become automatic, but when they all need to change regularly (but not all at the same time, mind you) then it becomes, for all practical purposes, impossible.

My personal pet-peeve is when a company's computer-enforced password rules mandate that you must have only one number, cannot repeat any letters, cannot use dictionary words (forwards or backwards), must have at least one capital, can't have a number for the first or last digit, must be exactly 6 characters.

And a change every month?

Well, good thing qW3ert, aS5dfg, zX3cvb and so on are all acceptable and easy to remember.

Make the rules too frustratingly strict and there'll only be twenty passwords to pick from. :P

(Edit: My point being, if the rules are too hard on people, they'll probably just take the easiest way out rather than making something unique and hard to crack)

Agree with the hate on mandatory changes. I have a couple of VERY secure passwords that I will never forget and that would be extraordinarily hard to guess. Numbers, capitals, lowercase. No symbols. Why can't I use it?

Originally posted by Jackattak:People who think security is a chore deserve everything they get.

Sorry, that's a dumb thing to say. Someone's stupid about the passwords they choose so they deserve to have their online bank account broken into and all their money stolen? Or their facebook hijacked and their secrets disseminated far and wide by a bunch of malicious idiots from 4chan? Seems like a pretty twisted morality you have, if you think someone deserves that just for choosing a weak password. I wouldn't wish that stuff on anyone.

I have been having this fight at work for quite a while now. We currently require 15 character non word, 1 upper case, 1 number passwords. Problem is that some older systems don't support that. What I can't seem to get through people's heads is that making passwords longer is the wrong answer. The problem is brute force attacks. The correct answer is not allowing unlimited tries to log into an account. I run fail2ban on my ssh servers and I have had only 1 user in years actually get banned. And it was easy enough to fix. And they would have had to contact me anyway to get their password reset because they obviously forgot it. Really, if you can't get the password in 5 tries, your account should be locked, because either you forgot the password, or it's been compromised and changed to something else by an intruder. Why don't people get this?
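The post above argues for limiting login attempts per account instead of piling on password-length rules. The following is an added illustration of that idea, not code from the article or any commenter: a small per-account lockout guard that stops checking passwords after a fixed number of failures and releases the lock after a timeout. The class and function names (`LoginGuard`, `make_record`, `check_record`), the 15-minute lockout window and the demo user store are my own assumptions; the "5 tries" limit is the figure from the post. Password verification uses PBKDF2 plus a constant-time comparison so the demo store does not hold plaintext.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5            # the "5 tries" from the post above
LOCKOUT_SECONDS = 15 * 60   # assumption: lock for 15 minutes, then allow again


def make_record(password, iterations=100_000):
    """Create a salted PBKDF2-SHA256 record for a constructed demo user store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, digest)


def check_record(record, password):
    """Constant-time check of a candidate password against a stored record."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


class LoginGuard:
    """Per-account failure counter with a timed lockout (assumed API, not a real library).

    The clock is injectable so the lockout expiry can be tested deterministically.
    """

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear the counter so the user gets a fresh budget.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def failures(self, account):
        return self._failures.get(account, 0)

    def attempt(self, account, password, verify):
        """Return 'locked', 'ok' or 'denied'. verify(account, password) -> bool.

        While an account is locked the password is never checked at all, so a
        guessing loop gets no signal from the verifier during the lockout.
        """
        if self.is_locked(account):
            return "locked"
        if verify(account, password):
            self._failures.pop(account, None)   # success resets the counter
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
        return "denied"


if __name__ == "__main__":
    # Constructed demo: one user, wrong guesses until lockout, then the right password.
    users = {"alice": make_record("correct horse battery")}
    guard = LoginGuard()
    verify = lambda acct, pw: acct in users and check_record(users[acct], pw)
    for _ in range(MAX_FAILURES):
        print(guard.attempt("alice", "wrong guess", verify))
    print(guard.attempt("alice", "correct horse battery", verify))  # locked
```

A timed lockout rather than a permanent one limits the obvious side effect of this design: anyone who knows a username can deliberately trip the counter and keep the legitimate owner out, so the lock must expire (or be lifted by an out-of-band reset) and the failed attempts should be logged so that a burst of lockouts across many accounts is visible to whoever watches the logs.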

Originally posted by Kazper:Imagine having to have long, safe and different random passwords for e.g. 10 systems. Then imagine that you are forced to change those passwords e.g. every 2 months.

...

In that manner many IT-admins actually weaken their network security.

DING! Fries are done. Then there is the 3 character classes must be used, and no password reuse, etc. And the galling thing is that you can't use more than 8 characters.

You can't do that to people. Either you get little slips of paper hidden in various spots or simple algorithms to accommodate constant password expiration. I have 4 domain accounts and a number of UNIX machines to log into, besides my primary loginID. Most expire every 90 days. Some are 180. At least with the UNIX machines I can run a password reset utility. I do that fairly often, especially if I haven't logged into a particular machine in a couple months.

Originally posted by fletc3her:Password rules hardly matter when most people's browser simply remembers the username and password for all their sites. For all the security that represents, sites may as well have a cookie that automatically logs on the users.

Not good to rely on, especially since Firefox keeps them in plain text (unless you set up a password). And if you've ever had a hardware failure, or forgot to backup before reinstalling, or there's some future update that breaks compatibility, or need a password while on another machine....

I went with Keepass in the end. It does mean that if my physical machine is compromised I'm totally screwed, a keylogger and a copy of my Keepass database is all they need. And if at some future date Keepass is cracked, it's even more vulnerable.

Which does raise an interesting point, a keylogger makes your password useless, regardless of what it is. A pretty basic password is going to be pretty difficult to crack unless the CIA investigates your life or the password is "password". Make it your cat's name with your birthdate thrown after it, how is that really going to be cracked?

I find the security planning and execution to be quite amusing over here at my workplace. They have smartcard based security over here at our workplace but for some reason, contractors don't get one. So contractors are forced to adhere to the usual user/password policies (strong password, rotational every two months stuff) instead of just using a smartcard.

And I bet the reason is that the smartcard system they are using is tied to some internal software system that they are using. Since contractors aren't using that particular system, so we aren't issued one.

It's this kind of thinking that makes me gnash my teeth in frustration.

I'm not sure why people don't use algorithmically generated passwords more. For example, the first letter of each word in a sentence, with some rule for capitals and lower case, and replacing certain letters with numbers. Sentences are easy to remember.

I also like the suggestion, where applicable, to limit password retries so you don't need a very hard-to-guess password.

I agree with all this, but I can't say that I was impressed by the first study. So someone can pretend to be me on MySpace? Big deal! What are they going to do, write rude things to all my friends and make them hate me?

I have strong passwords for the three or four accounts that matter because they involve money transfers. I have the same weak password for everything else because I don't give a toss whether someone breaks into them or not.

Password choice is all well and good, but the real problem is the sheer number of systems that one is forced to login to on a daily basis.

At work alone, I have probably 10+ systems requiring authentication that I use on a daily basis, and then there's the personal ones. Every system has their own (different) set of draconian requirements. I can easily remember 1 long obscure string, but start to fail seriously at 10+.

There are the people who add an additional rule for themselves (e.g. somehow incorporate the service name into the password) but that's just one more rule to comply with on top of all the existing ones.

Originally posted by Kazper:Imagine having to have long, safe and different random passwords for e.g. 10 systems. Then imagine that you are forced to change those passwords e.g. every 2 months.

Now what will be the reaction to this demand from the users? Lots of amazing safe and random passwords? No - it will be bad passwords and passwords reused on all systems, etc. Because quite frankly anything else is not humanly possible unless you have photographic memory or some autism.

{Raises hand} We have smart cards to log into our network. It's the other 19 mandatory web sites with constantly rotating password changes of arcane complexity and can NEVER repeat. So, on the same day every month, every one of them gets changed to the same new password... which is the same as the old password with a different last character. When I run out of keys on the keyboard, it might be a sign it's time to quit.

Unsafe practice, but it keeps me sane and the alternative is the dreaded post-it note.

Acronyms can be the savior: It's not hard to remember the first letters to the first line of lyrics of your currently-favorite song, for example. L33t them up a bit, and you've got a hell of a never-ending battery of long, complex, easily-remembered passwords.

So I switched from 1password to lastpass a few months ago. They are cross platform and available online so if I lose my laptop or want to use my wife's computer it's easy (and I can share passwords with her). Also they make autopassword generation and updating really easy.

With a nice password manager like this good practices are actually pretty reasonable. The only issue is getting people to install this sort of tool.

Originally posted by fletc3her:Password rules hardly matter when most people's browser simply remembers the username and password for all their sites. For all the security that represents, sites may as well have a cookie that automatically logs on the users.

I mean how do you control access to the thousands of dollars worth of stuff in your house? With a physical key. Storing plaintext passwords on your computer just turns your computer into a big physical key. If it's good enough for your house it's good enough for your facebook account. Cookies present other problems. I'd much rather have people with many good passwords saved on their PCs than with one password they use everywhere.

This is the same kind of attitude that caused the problem in the first place. Real security isn't about preventing highly motivated adversaries from gaining access but about reducing expected harm from impersonation. Often this means that easy but less theoretically secure approaches should be used.

Originally posted by Kazper:A really interesting detail that isn't mentioned is what happens when you add on some IT-admins preference for requiring password changes regularly.

Simple consequence of their rewards and penalties. As an admin you want to be able to point to "strong" security policies you put in place, especially if there is ever a breakin. Unfortunately we never blame people for overly stringent safety standards and tend to penalize people who suggest they aren't needed.

This problem is actually pretty pervasive in society. It's the same tendency that results in DARE programs in schools and overwrought warnings about pot even though scaremongering about pot reduces the effectiveness of warnings about more dangerous drugs. It's the same reason we tell teens that sex before marriage is never a good idea, and why we keep reducing the maximum BAC without studies showing what sort of effect this will have.

Originally posted by jonjermey:I agree with all this, but I can't say that I was impressed by the first study. So someone can pretend to be me on MySpace? Big deal! What are they going to do, write rude things to all my friends and make them hate me?

I have strong passwords for the three or four accounts that matter because they involve money transfers. I have the same weak password for everything else because I don't give a toss whether someone breaks into them or not.

Or even just slightly modified weak passwords. If you install a secure password just to comment on someone's blog, you're wasting your time.

^Exactly. Recognize that different security levels deserve more or less pain. I do the same thing, a few very strong passwords for very important things, and a generic medium password for the 87 forums, company sites, etc. that all somewhat retardedly demand a password.

If security is actually a goal here, and users actually have to learn something to help accomplish it, then help users and properly utilize their time and memory effort by teaching them a simple and effective strategy for creating strong enough passwords that are easy to remember.

One of the tricks that I like is picking random vectors across a keyboard. It can be easy and I imagine quite strong, with a random character thrown in for good measure. Length becomes a non-issue:

"qwer,asdf.zxcv/" is a bad example.

"/li7.ku6 ,jy5" (long left-leaning diagonals plus a space to mix it up)

"kjhgiuyt8765zkjhgiuyt8765" is like drumming fingers, with a "z" for mixup

Work password is fairly simple because of the 3 month thing - I gave up strong passwords after a year when I couldn't think of anything else. Oh yeah, sometimes Services for Unix goofs and forces you to change passwords so you can log onto NIS again.

Sometimes it's easier to just have a very nice and strong 12 character password with lowercase/uppercase/symbols/numbers as long as it isn't changed very often.

And yes, I have my browser remember credentials. I can't friggin' remember them for sites I visit once a year or less. Online banking though, no remembering.

There's a simple solution, use a password manager. I use keepass to manage and generate 100+ bit passwords. Considering that almost all competent websites have a failed login limit, trying to bruteforce a randomly generated password is probably a wasted effort.
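Several posts in this thread talk past each other about strength: "a ~12 character random ASCII string", first-letter acronyms of a sentence, and "100+ bit passwords" from a manager. The one quantity that connects them is entropy, which depends only on the size of the alphabet the generator draws from and how many independent symbols it draws. The block below is an added example, not code from the article or any commenter, that computes those numbers and generates passwords (or passphrases) to a target bit count with the `secrets` module. The alphabet table, the function names and the 16-word demo wordlist are my own constructions; a real wordlist would have thousands of entries, and the maths shows why that matters.

```python
import math
import secrets
import string

# Constructed alphabets; only their sizes enter the entropy calculation.
ALPHABETS = {
    "digits": string.digits,                                                   # 10 symbols
    "lower": string.ascii_lowercase,                                           # 26 symbols
    "alnum": string.ascii_letters + string.digits,                             # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,    # 94 symbols
}

# Constructed demo wordlist. With 16 words each word carries only 4 bits;
# a Diceware-style list of 7776 words carries about 12.9 bits per word.
DEMO_WORDS = [
    "apple", "battery", "cactus", "dune", "ember", "fjord", "glacier", "harbor",
    "igloo", "jungle", "kettle", "lantern", "meadow", "nebula", "orchid", "pebble",
]


def bits_per_symbol(alphabet_size):
    """Entropy contributed by one uniformly random symbol from an alphabet."""
    return math.log2(alphabet_size)


def entropy_bits(length, alphabet_size):
    """Entropy of `length` independent uniform symbols (not of a human-chosen string)."""
    return length * math.log2(alphabet_size)


def symbols_needed(target_bits, alphabet_size):
    """Smallest symbol count whose uniform draw reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(target_bits, alphabet):
    """Random password from `alphabet` with at least `target_bits` of entropy."""
    n = symbols_needed(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def generate_passphrase(target_bits, wordlist):
    """Random passphrase from `wordlist` with at least `target_bits` of entropy."""
    n = symbols_needed(target_bits, len(wordlist))
    return " ".join(secrets.choice(wordlist) for _ in range(n))


if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        print(f"{name:>9}: {bits_per_symbol(len(alphabet)):.2f} bits/char, "
              f"12 chars = {entropy_bits(12, len(alphabet)):.1f} bits, "
              f"100 bits needs {symbols_needed(100, len(alphabet))} chars")
    print("7776-word list: 100 bits needs", symbols_needed(100, 7776), "words")
    print(generate_password(100, ALPHABETS["printable"]))
    print(generate_passphrase(100, DEMO_WORDS))   # 25 words from a 16-word list
```

Two things the numbers make visible. A 12-character string drawn uniformly from all 94 printable ASCII characters is about 79 bits, so the "~12 random characters" posters are already well above what an online guessing limit can touch, and 16 such characters clear the 100-bit mark the keepass post mentions. The entropy formula only applies to uniform random draws: the acronym-of-a-song-lyric and keyboard-pattern schemes discussed above produce strings whose symbols are not independent, so their real strength is much lower than their length suggests and cannot be read off this formula.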

Originally posted by wanorris:Or even just slightly modified weak passwords. If you install a secure password just to comment on someone's blog, you're wasting your time.

Yep. I'm the same way. This site here, 1Password says 'Weak' and indeed it is. It's the same password (and user display name) for many such sites. Other very insignificant sites that ask for my email accounts get my homepage email account instead so I don't get much spam (Facebook); you're not worthy enough to email me or know my real name. And quit asking for my mobile #, that ain't gonna happen; if you want to speak to me you'll call the house then the house calls me -I don't get many mobile calls. At work, I have a list of common passwords that I use for when we have to change every 2 months; just tick it off -they stay locked away... somewhere.

Originally posted by Devilbunny:Agree with the hate on mandatory changes. I have a couple of VERY secure passwords that I will never forget and that would be extraordinarily hard to guess. Numbers, capitals, lowercase. No symbols. Why can't I use it?

People's perception of something secure and what is actually cryptographically secure can be a world apart.